At the time of filing of the U.S. provisional patent application from which this application claims priority, Internet Protocol version 6 had no timely support for authorization under a three-party trust model in which a mobile client, an authorizer, and a server or service each reside in a separate security domain. The same was true of smart-card based authorization of network-layer services using IPv6 network-level protocols. Practical deployment of publicly used resources requires that network-level services, such as network access or the use of a network identity (an IP address), be authorized for users willing to pay for them.
Authorization and authentication in the Internet protocols have traditionally employed a two-party trust model. For network access authorization, e.g., dialup services, clients are authorized with protocols such as RADIUS, where the client and the provider are the two parties; with Diameter-based authorization of, e.g., Mobile IP or Mobile IPv6-based access, the client and the routing identity provider (the home domain) are the two parties involved. A two-party trust model may be regarded as a special case of the three-party model, e.g., the case in which the service provider and the authorizer collapse into one entity.
In both of the protocols identified above, keys are negotiated directly between the client and the service owner. The Internet Key Exchange (IKE) assumes the same two-party model, even though trust is delegated to a Public Key Infrastructure (PKI) in which a trusted third party, the certificate authority, certifies the public keys used to authenticate the key exchange. Keys issued under this model serve only to secure the key exchange channel; they are not associated with a request for any particular service. The availability of a certified public key does not represent authorization of a service by the third party that issued or published it. A user can obtain a key for securing a channel over which session keys are exchanged, but the party providing that channel key has no control over the purpose of the keys negotiated through the channel.
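The following is an added illustration, not part of the patent text and not the protocol of the invention, of the distinction drawn above: in a three-party model the authorizer, in its own domain, issues a token that binds a client, one named service and a session key, and the service verifies it with a long-term key it shares only with the authorizer, so the key is tied to the purpose it was issued for. The entity names, the token layout and the HMAC-based key derivation are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time

# Added illustration of a generic three-party trust model (client, authorizer,
# service in separate domains). Names, token layout and key derivation are
# assumptions for this example, not the patent's protocol.


def _mac(key: bytes, *fields: str) -> bytes:
    """HMAC-SHA256 over a canonical, separator-delimited join of string fields."""
    return hmac.new(key, "\x1f".join(fields).encode(), hashlib.sha256).digest()


class Authorizer:
    """Home domain: verifies the client's credential (e.g. one derived from a
    smart card) and shares a distinct long-term key with each service. It is
    never on the path between client and service."""

    def __init__(self):
        self._service_keys = {}
        self._clients = {}

    def enrol_service(self, service_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._service_keys[service_id] = key
        return key  # provisioned to the service out of band

    def enrol_client(self, client_id: str, credential: bytes) -> None:
        self._clients[client_id] = credential

    def issue_token(self, client_id, credential, service_id, ttl=300, now=None):
        """Return (token, session_key). The token MAC is under the service's key,
        so only that service can verify it; the session key is derived from the
        same key, so the service reconstructs it offline without encryption."""
        stored = self._clients.get(client_id, b"")
        if not hmac.compare_digest(stored, credential):
            raise PermissionError("client authentication failed")
        service_key = self._service_keys[service_id]  # KeyError: unknown service
        now = time.time() if now is None else now
        token = {"client": client_id, "service": service_id,
                 "expires": int(now) + ttl, "nonce": secrets.token_hex(16)}
        token["mac"] = _mac(service_key, token["client"], token["service"],
                            str(token["expires"]), token["nonce"]).hex()
        return token, _mac(service_key, "session", token["mac"])


def client_authenticator(session_key: bytes, token: dict, now=None):
    """Client proves possession of the session key; the timestamp lets the
    service reject stale replays (a full replay cache is omitted here)."""
    ts = str(int(time.time() if now is None else now))
    return ts, _mac(session_key, "client-auth", token["mac"], ts)


class Service:
    """Serving domain: trusts the authorizer only through the shared key."""

    def __init__(self, service_id: str, service_key: bytes):
        self.service_id = service_id
        self._key = service_key

    def accept(self, token: dict, authenticator, now=None, skew=60) -> bytes:
        now = time.time() if now is None else now
        # Purpose binding: a token issued for another service is useless here.
        if token["service"] != self.service_id:
            raise PermissionError("token bound to another service")
        expected = _mac(self._key, token["client"], token["service"],
                        str(token["expires"]), token["nonce"])
        if not hmac.compare_digest(expected, bytes.fromhex(token["mac"])):
            raise PermissionError("token forged or tampered")
        if now > token["expires"]:
            raise PermissionError("token expired")
        session_key = _mac(self._key, "session", token["mac"])
        ts, proof = authenticator
        if abs(now - int(ts)) > skew or not hmac.compare_digest(
                _mac(session_key, "client-auth", token["mac"], ts), proof):
            raise PermissionError("client does not hold the session key")
        return session_key


def demo(now=1_700_000_000):
    """Run the exchange on constructed sample data; report which checks held."""
    authorizer = Authorizer()
    svc_a = Service("access.example.net", authorizer.enrol_service("access.example.net"))
    svc_b = Service("vpn.example.net", authorizer.enrol_service("vpn.example.net"))
    authorizer.enrol_client("alice", b"constructed-smartcard-secret")
    token, k_client = authorizer.issue_token(
        "alice", b"constructed-smartcard-secret", "access.example.net", now=now)
    k_service = svc_a.accept(token, client_authenticator(k_client, token, now), now=now)

    def rejected(service, tok, key, at):
        try:
            service.accept(tok, client_authenticator(key, tok, at), now=at)
            return False
        except PermissionError:
            return True

    return {
        "keys_agree": k_client == k_service,
        "other_service_rejects": rejected(svc_b, token, k_client, now),
        "tamper_rejected": rejected(svc_a, dict(token, client="mallory"), k_client, now),
        "expiry_enforced": rejected(svc_a, token, k_client, now + 3600),
    }


if __name__ == "__main__":
    print(demo())
```

The contrast with the two-party channel key is in the `Service.accept` checks: the service never sees a client certificate or the authorizer online, yet it learns both who the client is and that the authorizer approved this client for this service, because the MAC and the derived session key are only computable with the key this one service shares with the authorizer. A token minted for `vpn.example.net` is rejected by `access.example.net` for that reason, which is exactly the purpose binding a PKI-certified key lacks.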